
Holger Just meineerde


For the used SSL certificate to be valid, we need to use the externally visible hostname when accessing the homematic GUI. Thus, we need to configure this external hostname as the server's hostname, even if the server is only available on our internal network.

Be careful when exposing your actual homematic instance to the outside world without further safeguards. Usually, it should only be accessible on the internal network.

Create a self-signed certificate

Go to Einstellungen -> Systemsteuerung -> Netzwerkeinstellungen. There, you can create a self-signed certificate. Enter the hostname, your email address, and your country. The latter two values are rather unimportant here.

We need this certificate so that the webserver is configured correctly and we have a template file which we can later overwrite with our actual SSL certificate from Let's Encrypt.

@meineerde
meineerde / haproxy_1_5.cnf
Last active January 19, 2023 02:23
HAPROXY: Redirect all requests to a URL starting with /foo to /bar while retaining everything following it
# In HAProxy 1.5, we have to jump through some hoops to accomplish a rewrite of a request's path...
# We use a temporary header to build our new path from the existing one in the request
# and then directly perform a redirect
# Clean the request and remove any existing header named X-Rewrite
http-request del-header X-REWRITE
# Copy the full request URL into the X-REWRITE request header unchanged
http-request add-header X-REWRITE %[url] if { path_beg /foo }
curl 'https://t.co/9POr0MKZof' \
-H 'authority: t.co' \
-H 'pragma: no-cache' \
-H 'cache-control: no-cache' \
-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
-H 'upgrade-insecure-requests: 1' \
-H 'dnt: 1' \
-H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36' \
@meineerde
meineerde / haproxy.config
Last active October 20, 2021 09:43
Set all cookies set in the HTTP response to HttpOnly
acl httponly_cookie res.hdr(Set-Cookie),lower -m sub httponly
rspirep ^(set-cookie:.*) \1;\ HttpOnly if !httponly_cookie
@meineerde
meineerde / ruby_1.8.7_on_catlina.md
Last active October 6, 2021 11:16
Install Ruby 1.8.7 on macOS Catalina with ruby-install
brew install rbenv/tap/openssl@1.0
brew install gcc@6
brew install ruby-install

"Patch" ruby-install:

$EDITOR /usr/local/Cellar/ruby-install/0.8.1/share/ruby-install/ruby/functions.sh
@meineerde
meineerde / parse_haproxy_logs.py
Created November 29, 2012 14:41
Python Regex to Parse HAProxy's HTTP Logs
# Are quotes escaped?
escaped_quotes = True
haproxy_re = (r'haproxy\[(?P<pid>\d+)\]: '
r'(?P<client_ip>(\d{1,3}\.){3}\d{1,3}):(?P<client_port>\d{1,5}) '
r'\[(?P<date>\d{2}/\w{3}/\d{4}(:\d{2}){3}\.\d{3})\] '
r'(?P<listener_name>\S+) (?P<server_name>\S+) '
r'(?P<Tq>(-1|\d+))/(?P<Tw>(-1|\d+))/(?P<Tc>(-1|\d+))/(?P<Tr>(-1|\d+))/'
r'(?P<Tt>\+?\d+) '
r'(?P<HTTP_return_code>\d{3}) (?P<bytes_read>\d+) '
@meineerde
meineerde / my_array_flatten.rb
Created January 13, 2021 22:37
A mostly equivalent version of Array#flatten in Ruby, including checks for recursive arrays
require 'set'
class MyArray < Array
def my_flatten(level = -1)
level = Integer(level)
return self.dup if level == 0
flattened_array = self.class.new
recursively_flatten(self, flattened_array, level)
flattened_array
@meineerde
meineerde / haproxy.cfg
Last active September 27, 2020 14:08
Build a dynamic SNI value to use in a HAProxy backend connection over SSL
frontend foo
bind :443 ssl crt /path/to/certs
# Ensure we have a clean state to start with
http-request del-header X-SERVER-SNI
# Set the concatenated value of the SNI value to a temporary header
http-request set-header X-SERVER-SNI haproxy.%[ssl_fc_sni] if { ssl_fc_sni -m found }
# Set the value of the header to a transaction-level variable
acl from_internal_network src 192.168.0.0/16
acl restricted_path path -m reg ^/+admin/
http-request deny if restricted_path ! from_internal_network
@meineerde
meineerde / haproxy.conf
Created June 22, 2020 19:13
HAPROXY: Delay but fulfill a request if it was made with an outdated (but supported) cipher
frontend http
mode http
bind :443 ssl crt /etc/haproxy/ssl
acl outdated_cipher ssl_fc_cipher -i -m sub rc4
# define a maximum waiting period
tcp-request inspect-delay 10s
# accept the connection immediately if the client doesn't use an outdated cipher